AWSTemplateFormatVersion: 2010-09-09

Description: Workload Discovery on AWS Opensearch Roles Stack

Parameters:
  CreateOpensearchServiceRole:
    Type: String

Conditions:
  DeployOpensearchServiceRole: !Equals [!Ref CreateOpensearchServiceRole, 'Yes']

Resources:
  # As this stack has no dependencies it should be created first giving sufficient time for
  # the IAM role to have propagated before the creation of the ES cluster.
  ElasticSearchServiceLinkedRole:
    Type: AWS::IAM::ServiceLinkedRole
    Condition: DeployOpensearchServiceRole
    Properties:
      AWSServiceName: es.amazonaws.com
      Description: Role to enable Amazon ES to manage your cluster.

  # Needs to be in here to avoid a circular dependency between the Search lambda stack
  # and the Elasticsearch db stack
  SearchLambdaRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
        - arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole

Outputs:
  OpenSearchLambdaRoleArn:
    Description: Search function required for OpenSearch cluster access role Arn
    Value: !GetAtt SearchLambdaRole.Arn